Security Basics mailing list archives
Re: PHP/MySQL image gallery penetration testing
From: Cory Swanson <cory () spydertechsolutions com>
Date: Thu, 25 Oct 2007 15:44:21 -0600
Simon,

May I ask why one would be concerned with being able to download all 4 images from the site at once? You said that they rotate every day so couldn't they just wait a day at a time and Right-Click / Save-As? Do these images contain important information which someone would want to have right away?

I'm sorry but I just can't see why this would be a vulnerability unless you were running an image hosting site like imagevenue.com or something and didn't want people leeching entire galleries at once and eating bandwidth.

Perhaps you can provide more information.

Cory

On Thu, 2007-10-25 at 18:34 +0200, Simon Jolle "sjolle" wrote:
> Hi security list
>
> At our site we have 4 images on the website (rotating every day). The webdev department doesn't allow me access to the source (additionally I am a non-programmer).
>
> The URL looks like http://www.example.com/image.php?src=imagename.png, where imagename.png is randomly generated.
>
> What techniques can be used by an attacker to download every image? What tools can be used to test potential vulnerabilities?
>
> cheers
> Simon
>
> --
> actually, I think Windows Vista has done more than virtually any OS release to promote the use of Linux (Slashdot comment, 4. Oct 07)

Cory Swanson
Director - Spyder Technology
http://www.spydertechsolutions.com
Office (208) 947-4693
Mobile (208) 695-5110